So we have AnyConnect configured to talk to our RADIUS server, which then handles all the authentication for user access, etc.

Whilst this is working and I can give people access or remove access simply by removing or adding them to the security group I configured, I wanted to go a bit further.

Basically, we want to stop staff from using non-company devices on the VPN. I tried configuring it so it checked the user's name as well as the machine name\domain membership etc., but this doesn't appear to work.

Any ideas how I can have a group for user access that also ensures the device being used is a domain member and not someone's iPad, etc.?

The AnyConnect is outsourced and configured by our supplier, so any changes suggested there will take some time to come back to you guys on, as I will need to have the vendor make the changes. Hoping this is a simple config issue on the RADIUS, however?


We set up a system to do this with the older VPN client. We're currently trying to adapt it to AnyConnect, but haven't gotten there yet.

The concept is that the ASA generates a self-signed certificate. We install that on the company device using our admin creds. The cert can't be exported off the device and it has to be installed per user. The VPN client uses that to authenticate to the ASA, then the user authenticates via RADIUS. It absolutely limits access to machines that we personally set up. Because we're setting access up for third parties (local police departments), we don't control the hardware. This gives us a chance to do a health-check on them.

If we want to disable VPN access, we revoke the certificate associated with that particular laptop.
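The ASA-side configuration that the reply describes (device certificate first, then RADIUS credentials for the user), written out as an added illustration rather than taken from the thread or from either poster's setup. The names VPN-TG, VPN-GP, RADIUS-SRV, DEVICE-CA, COMPANY-DEVICE, the RADIUS host address and the issuer CN are all assumptions; it also assumes the per-device client certificates are issued by a CA whose certificate sits in the DEVICE-CA trustpoint (for example the ASA's own local CA) and that revocation is published via CRL, which is what makes "revoke the laptop's certificate" actually cut off access.

```text
! Added example ASA configuration; hypothetical names throughout.

! RADIUS server group used for the user-credential step
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.10
 key <shared-secret>

! Trustpoint holding the CA that issued the per-device client certificates.
! revocation-check crl makes the ASA reject a certificate that has been revoked.
crypto ca trustpoint DEVICE-CA
 enrollment terminal
 revocation-check crl
 crl configure

! Only certificates issued by that CA match this map; any other client
! certificate (or none at all) never reaches the RADIUS step.
crypto ca certificate map COMPANY-DEVICE 10
 issuer-name attr cn eq vpn-device-ca

group-policy VPN-GP internal
group-policy VPN-GP attributes
 vpn-tunnel-protocol ssl-client

! Tunnel group: "authentication aaa certificate" requires BOTH a valid
! client certificate and a successful RADIUS authentication.
tunnel-group VPN-TG type remote-access
tunnel-group VPN-TG general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy VPN-GP
tunnel-group VPN-TG webvpn-attributes
 authentication aaa certificate

! Route connections that present a COMPANY-DEVICE certificate into VPN-TG
webvpn
 enable outside
 anyconnect enable
 certificate-group-map COMPANY-DEVICE 10 VPN-TG
```

Two points worth checking before relying on this: confirm the ASA can actually fetch the CRL (a trustpoint with `revocation-check crl` and no reachable CRL will fail all certificate logins, not just revoked ones), and confirm on the endpoint that the private key was imported as non-exportable, since a certificate whose key can be exported gives no assurance about which device is connecting.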